§61 · Lane 2 — AI Audit and Accountability
ISACA AI Audit Toolkit (WAICAT): the practitioner control library AI audits are conducted against
ISACA (2024) · ISACA AI Audit Toolkit
Bibliographic data
- Title: ISACA Artificial Intelligence Audit Toolkit (WAICAT) — AI control library (251 controls across 22 families)
- Authors / Issuing body: ISACA (Information Systems Audit and Control Association)
- Venue / Publisher: ISACA
- Year: 2024
- Designation: Standard
- Licence: Stable URL — refer to publisher for full licence terms.
- Canonical link: https://www.isaca.org/resources/artificial-intelligence
How to cite
ISACA (2024). ISACA Artificial Intelligence Audit Toolkit (WAICAT) — AI control library (251 controls across 22 families). ISACA. https://www.isaca.org/resources/artificial-intelligence.
ISACA's AI audit control library: 251 controls across 22 families, each carrying a six-lens assessment model and cross-framework mappings (NIST SP 800-53, EU AI Act, Secure Controls Framework). The practitioner toolkit the audit profession uses to examine AI systems end to end.
Why it matters for NETEVO
The first question in any AI audit is "audit against what?" ISACA's AI Audit Toolkit answers it with a practitioner control library — AI-specific controls across families spanning model governance, lifecycle management, data, security, and accountability, each carrying an assessment model and mappings out to frameworks like NIST and the EU AI Act. It is the closest thing the audit profession has to an off-the-shelf AI control set.
It turns "audit-ready" from a claim into a checklist. Where the academic blueprints describe how AI auditing should work, this toolkit enumerates the controls an auditor will look for. For an organisation that wants to survive — not merely commission — an AI assurance review, the gap to close is the distance between each control and demonstrable evidence that it operates.
That distance is what NETEVO engineers. Rather than a policy binder mapped to the control library, the Law-to-Code Methodology delivers each control as an executable, evidence-emitting mechanism, so an AI audit consumes telemetry the system already produces. The control library defines the target; NETEVO builds the controls that meet it — and proves they ran.
Where NETEVO applies this
- AI Governance in ANZ Whitepaper — supporting — AI control coverage for the governance mapping
- Listed Leaders ICP — boards commissioning AI assurance want controls auditors recognise